33 #include <xercesc/dom/DOM.hpp>
34 #include <xsec/canon/XSECC14n20010315.hpp>
35 #include <xsec/utils/XSECPlatformUtils.hpp>
// Reads the optional Id attribute of the parsed <Signature> element and tests
// it twice: once for absence, once for an empty string. The statements run on
// each branch (listing lines 73 and 75) are not part of this excerpt.
// The Id is dereferenced later with signature->id().get() (listing line 470),
// so both tests guard that access.
71 const dsig::SignatureType::IdOptional &idOptional = signature->id();
72 if ( !idOptional.present() )
74 if ( idOptional.get().empty() )
// An aggregate "Signature is invalid" exception is built before the checks run
// and thrown at listing line 135. The code between (try/catch blocks and the
// condition guarding the throw) is not shown in this excerpt.
// NOTE(review): presumably each failed check is attached as a cause and the
// throw happens only when at least one cause exists; confirm that no check
// failure can be swallowed without reaching the throw.
102 SignatureException resultException(__FILE__, __LINE__,
"Signature is invalid");
107 checkQualifyingProperties();
125 checkSigningCertificate();
135 throw resultException;
// Fragment of the OCSP-related path: the signing certificate is fetched, the
// issuer certificate pointer is handed to an X509_scope object, and a NULL
// issuer is tested for. How issuerCert is looked up (listing lines 151-153) is
// not shown.
150 X509Cert cert = getSigningCertificate();
154 X509_scope issuerCertScope(&issuerCert);
155 if(issuerCert == NULL)
// An empty issuer in the OCSP configuration leads to the construction of a
// "Failed to find ocsp responder." exception.
// NOTE(review): the throw itself is not visible here; confirm that a missing
// responder fails validation rather than skipping the revocation check.
165 if(ocspConf.
issuer.empty())
167 SignatureException
e(__FILE__, __LINE__,
"Failed to find ocsp responder.");
// Feeds the signature value into a default-constructed Digest. Which algorithm
// the default constructor selects is decided inside Digest and is not visible
// in this excerpt.
// std::auto_ptr is deprecated since C++11 and removed in C++17.
181 std::auto_ptr<Digest> calc(
new Digest());
182 calc->
update(getSignatureValue());
// Collects the DigestMethod algorithm URI of every <Reference> in SignedInfo,
// in document order, into `result`. The values come straight from the parsed
// signature and are not filtered in the lines shown.
203 std::vector<std::string> result;
204 const dsig::SignedInfoType::ReferenceSequence &refSeq = signature->signedInfo().reference();
205 for(dsig::SignedInfoType::ReferenceSequence::const_iterator
i = refSeq.begin();
206 i != refSeq.end(); ++
i)
207 result.push_back(
i->digestMethod().algorithm());
// For each document in the container, computes its digest with a
// default-constructed Digest and records a <Reference> carrying the URI, the
// digest algorithm URI reported by calc->getUri(), and the digest bytes.
// How `doc` and `uri` are obtained (listing lines 221-227) is not shown.
220 for(
unsigned int i = 0;
i < bdoc.documentCount(); ++
i)
228 std::auto_ptr<Digest> calc(
new Digest());
229 std::vector<unsigned char> digest = doc.
calcDigest(calc.get());
// NOTE(review): &digest[0] is undefined behaviour on an empty vector; this
// relies on calcDigest() never returning an empty result.
230 DEBUGMEM(
"digest", &digest[0], digest.size());
231 addReference(uri, calc->getUri(), digest);
// Copies the signer's certificate, production place and role into the
// signature before anything is digested.
243 setSigningCertificate(signer->getCert());
244 setSignatureProductionPlace(signer->getSignatureProductionPlace());
245 setSignerRole(signer->getSignerRole());
// Signature method selection: `uri` starts as RSA-SHA1 and is replaced only in
// the four NID_sha2* cases visible below. Listing lines 255, 260 and 261 are
// not shown, so any other signer->type() value appears to keep RSA-SHA1.
// NOTE(review): SHA-1 is no longer collision resistant; confirm whether an
// unrecognised type should be rejected instead of falling back to it.
253 xml_schema::Uri uri(URI_ID_RSA_SHA1);
254 switch(signer->type())
256 case NID_sha224: uri = xml_schema::Uri(URI_ID_RSA_SHA224);
break;
257 case NID_sha256: uri = xml_schema::Uri(URI_ID_RSA_SHA256);
break;
258 case NID_sha384: uri = xml_schema::Uri(URI_ID_RSA_SHA384);
break;
259 case NID_sha512: uri = xml_schema::Uri(URI_ID_RSA_SHA512);
break;
262 signature->signedInfo().signatureMethod(dsig::SignatureMethodType(uri));
// The SignedProperties element is digested with a default-constructed Digest
// (algorithm chosen inside Digest, not visible here) and added as a reference
// "#<id>-SignedProperties" with the XAdES SignedProperties type URI.
265 std::auto_ptr<Digest> calc(
new Digest());
266 std::vector<unsigned char> digest = calcDigestOnNode(calc.get(), XADES_NAMESPACE,
"SignedProperties");
267 addReference(
"#" + getId() +
"-SignedProperties", calc->
getUri(), digest,
"http://uri.etsi.org/01903#SignedProperties");
// The returned value is the digest of SignedInfo, computed with the digest
// type reported by the signer; it is taken after the reference above was
// added, so SignedInfo already contains it.
270 calc.reset(
new Digest(signer->type()));
271 return calcDigestOnNode(calc.get(), URI_ID_DSIG,
"SignedInfo");
// Signing fragment: prepareSignedInfo() yields the SignedInfo digest, the
// signer produces the signature over it, and the result is stored as the
// signature value. The construction of sigDigestSha and signatureShaRsa
// (listing lines 285-299) is only partly shown.
284 std::vector<unsigned char> sha = prepareSignedInfo(signer);
// The buffer length is derived from the signer certificate via
// getPaddingSize(). NOTE(review): presumably this is the RSA modulus size in
// bytes and `buf` backs signatureShaRsa; confirm that the signer cannot write
// more than `size` bytes into it.
291 size =
X509Cert(signer->getCert()).getPaddingSize();
298 std::vector<unsigned char>
buf(size);
300 signer->sign(sigDigestSha, signatureShaRsa);
301 setSignatureValue(signatureShaRsa);
312 checkSignatureValue();
320 checkSignatureMethod();
// Allow-list test on the SignatureMethod URI taken from the signature: the
// condition is true when the URI is none of the five RSA-SHA variants listed.
// The statement executed in that case (listing line 335 onwards) is not shown.
// NOTE(review): RSA-SHA1 is among the accepted values; SHA-1 signatures are
// deprecated, so confirm whether accepting them on validation is intended
// (for example for legacy containers only).
329 std::string algorithmType = getSignatureMethod();
330 if ( algorithmType != URI_ID_RSA_SHA1 &&
331 algorithmType != URI_ID_RSA_SHA224 &&
332 algorithmType != URI_ID_RSA_SHA256 &&
333 algorithmType != URI_ID_RSA_SHA384 &&
334 algorithmType != URI_ID_RSA_SHA512 )
// Structural check of the <Reference> list in SignedInfo.
345 dsig::SignedInfoType& signedInfo = signature->signedInfo();
346 dsig::SignedInfoType::ReferenceSequence& refSeq = signedInfo.reference();
// The number of references must be exactly one per container document plus
// one (the extra one being the SignedProperties reference looked for below).
// A mismatch reaches an error path whose message arguments end on listing
// line 352; the statement itself is not shown.
348 if ( refSeq.size() != (bdoc.documentCount() + 1) )
352 , refSeq.size(), bdoc.documentCount() + 1);
// Walks all references looking for the one that points at SignedProperties.
// gotSignatureRef records that one was seen; the test on listing line 368
// fires when a second one is encountered, so duplicates are detected.
357 bool gotSignatureRef =
false;
358 for ( dsig::SignedInfoType::ReferenceSequence::const_iterator itRef = refSeq.begin()
359 ; itRef != refSeq.end()
363 const dsig::ReferenceType& refType = (*itRef);
365 if ( isReferenceToSigProps(refType) )
368 if ( gotSignatureRef )
372 gotSignatureRef =
true;
374 checkReferenceToSigProps(refType);
// A signature with no SignedProperties reference is tested for here; the
// remaining references are then matched against the container documents.
378 if ( !gotSignatureRef )
384 checkReferencesToDocs(refSeq);
// Compares the certificate returned by getSigningCertificate() with the
// SigningCertificate entry recorded in the signed XAdES properties.
394 X509Cert x509 = getSigningCertificate();
// Each level of the path Object -> QualifyingProperties -> SignedProperties ->
// SigningCertificate -> Cert is tested for "exactly one" or "present" before
// element [0] or the optional is used. The statements on the failing branches
// are not shown in this excerpt.
396 dsig::SignatureType::ObjectSequence
const& objs = signature->object();
397 if ( objs.size() != 1 )
400 dsig::ObjectType::QualifyingPropertiesSequence
const& qProps = objs[0].qualifyingProperties();
401 if ( qProps.size() != 1 )
404 xades::QualifyingPropertiesType::SignedPropertiesOptional
const& sigProps = qProps[0].signedProperties();
405 if ( !sigProps.present() )
408 xades::SignedSignaturePropertiesType::SigningCertificateOptional
const& sigCertOpt = sigProps->signedSignatureProperties().signingCertificate();
409 if ( !sigCertOpt.present() )
412 xades::CertIDListType::CertSequence
const&
certs = sigCertOpt->cert();
413 if ( certs.size() != 1 )
// The digest algorithm URI is read from the signature document itself. The
// condition on listing line 417 that leads to the "Unsupported digest
// algorithm" exception is not shown.
416 dsig::DigestMethodType::AlgorithmType
const& certDigestMethodAlgorithm = certs[0].certDigest().digestMethod().algorithm();
418 THROW_SIGNATUREEXCEPTION(
"Unsupported digest algorithm %s for signing certificate", certDigestMethodAlgorithm.c_str());
// Issuer name and serial number claimed by the document; the comparison with
// the certificate's own values (listing lines 422-436) is not shown, only the
// debug output around it.
420 dsig::X509IssuerSerialType::X509IssuerNameType certIssuerName = certs[0].issuerSerial().x509IssuerName();
421 dsig::X509IssuerSerialType::X509SerialNumberType certSerialNumber = certs[0].issuerSerial().x509SerialNumber();
426 DEBUG(
"certIssuerName: \"%s\"", certIssuerName.c_str());
428 DEBUG(
"sertCerials = %s %s", x509.
getSerial().c_str(), certSerialNumber.c_str());
// Recomputes the certificate digest over the DER encoding with the algorithm
// named in the document and compares it with the recorded CertDigest value.
437 xades::DigestAlgAndValueType::DigestValueType
const& certDigestValue = certs[0].certDigest().digestValue();
439 std::auto_ptr<Digest> certDigestCalc(
new Digest(certDigestMethodAlgorithm));
// NOTE(review): &derEncodedX509[0] is undefined behaviour if encodeDER()
// returns an empty vector; confirm it throws instead of returning empty.
442 std::vector<unsigned char> derEncodedX509 = x509.
encodeDER();
443 certDigestCalc->
update(&derEncodedX509[0], (
unsigned int)derEncodedX509.size());
444 std::vector<unsigned char> calcDigest = certDigestCalc->
getDigest();
// The length is compared first, so the byte loop below never indexes past the
// end of the recorded digest value.
446 if ( certDigestValue.size() !=
static_cast<size_t>( certDigestCalc->
getSize() ) )
451 for (
size_t i = 0; i < static_cast<size_t>( certDigestCalc->
getSize() ); ++
i )
453 if ( calcDigest[
i] != static_cast<unsigned char>(certDigestValue.data()[
i]) )
// On a byte mismatch both digests are dumped to the debug log.
455 DEBUGMEM(
"Document cert digest", &(certDigestValue.data())[0], certDigestValue.size());
456 DEBUGMEM(
"Calculated cert digest", &calcDigest[0], calcDigest.size());
// Checks the QualifyingProperties element of the first <Object>.
// NOTE(review): signature->object()[0] is indexed without a size test in the
// lines visible here; confirm that an empty Object sequence is rejected
// before this point (by schema validation or an earlier check).
467 dsig::ObjectType::QualifyingPropertiesSequence
const& qProps = signature->object()[0].qualifyingProperties();
468 if ( qProps.size() != 1 )
// The Target attribute must reference this signature's own Id ("#" + Id);
// the condition below is true when it does not. The id() optional is
// dereferenced with get() here.
470 if ( qProps[0].target() !=
"#" + signature->id().get() )
473 checkSignedSignatureProperties();
// When UnsignedProperties is present, the presence of
// UnsignedDataObjectProperties and the absence of UnsignedSignatureProperties
// are each tested; the statements on those branches are not shown.
475 if ( qProps[0].unsignedProperties().present() )
477 xades::QualifyingPropertiesType::UnsignedPropertiesType uProps = qProps[0].unsignedProperties().get();
478 if ( uProps.unsignedDataObjectProperties().present() )
480 if ( !uProps.unsignedSignatureProperties().present() )
// Reads the optional SignaturePolicyIdentifier from the signed signature
// properties and branches when it is present. What happens on that branch
// (listing line 493 onwards) is not shown in this excerpt.
490 const xades::SignedSignaturePropertiesType& signedProps = getSignedSignatureProperties();
491 xades::SignedSignaturePropertiesType::SignaturePolicyIdentifierOptional policyOpt = signedProps.signaturePolicyIdentifier();
492 if ( policyOpt.present() )
// Fetches the signing certificate, reads its key-usage list and calls
// verify() on it; the branch below is taken when verify() returns false.
// How `usage` is evaluated (listing lines 507-508) and what verify() checks
// are not visible in this excerpt.
505 X509Cert signingCert = getSigningCertificate();
506 std::vector<digidoc::X509Cert::KeyUsage> usage = signingCert.
getKeyUsage();
509 if( !signingCert.
verify() )
// Decides from the optional Type attribute whether a <Reference> points at
// SignedProperties.
524 const dsig::ReferenceType::TypeOptional& typeOpt = refType.type();
526 if ( typeOpt.present() )
528 std::string typeAttr = typeOpt.get();
// Accepts any Type that starts with "http://uri.etsi.org/01903" and ends with
// "#SignedProperties"; the text between prefix and suffix is not constrained.
// The unsigned subtraction on the right-hand side cannot wrap: && only
// evaluates it after the 25-character prefix matched, so typeAttr is longer
// than the 17-character suffix.
534 if((typeAttr.find(
"http://uri.etsi.org/01903") == 0)
535 && (typeAttr.rfind(
"#SignedProperties") == (typeAttr.length() - std::string(
"#SignedProperties").length())))
// Validates the <Reference> that points at SignedProperties: URI presence,
// digest algorithm, and digest value.
551 const dsig::ReferenceType::URIOptional& uriOpt = refType.uRI();
553 if ( !uriOpt.present() )
// The digest algorithm URI comes from the signature document. The test on
// listing lines 573-575 that leads to the "not supported" exception is not
// shown.
571 const dsig::DigestMethodType& digestMethod = refType.digestMethod();
572 const dsig::DigestMethodType::AlgorithmType& algorithm = digestMethod.algorithm();
576 THROW_SIGNATUREEXCEPTION(
"reference to SignedProperties digest method algorithm '%s' is not supported", algorithm.c_str());
580 const dsig::DigestValueType& digestValue = refType.digestValue();
// Recomputes the digest over the SignedProperties node with the algorithm
// named in the reference.
595 std::auto_ptr<Digest> calc(
new Digest(refType.digestMethod().algorithm()));
597 std::vector<unsigned char> calculatedDigestValue = calcDigestOnNode(calc.get(), XADES_NAMESPACE,
"SignedProperties");
// Length check expressed with pointers: true when the recorded digest is not
// exactly calculatedDigestValue.size() bytes long.
// NOTE(review): if the recorded value is shorter, begin() + size() forms a
// pointer beyond the buffer before the comparison; comparing the two sizes
// directly would avoid that.
599 if ( digestValue.begin() + calculatedDigestValue.size() != digestValue.end() )
// Byte-by-byte comparison; on the first mismatch both values are dumped to
// the debug log. The statement that reports the failure is not shown.
604 for (
size_t i = 0;
i < calculatedDigestValue.size();
i++ )
606 const char* dv = digestValue.begin() +
i;
607 if ( *dv != static_cast<char>(calculatedDigestValue[
i]) )
609 DEBUGMEM(
"Document digest:", &digestValue.data()[0], digestValue.size());
610 DEBUGMEM(
"Calculated digest:", &calculatedDigestValue[0], calculatedDigestValue.size());
// Matches every non-SignedProperties <Reference> to a container document.
// docNumberList starts as the indices 0..docCount-1 of all documents; an
// index is erased once a reference has been matched to it, so a document
// cannot satisfy two references.
625 std::vector< size_t > docNumberList;
626 size_t docCount = bdoc.documentCount();
627 for (
size_t i = 0;
i != docCount;
i++ )
629 docNumberList.push_back(
i );
633 for ( dsig::SignedInfoType::ReferenceSequence::const_iterator itRef = refSeq.begin()
634 ; itRef != refSeq.end()
638 const dsig::ReferenceType& refType = (*itRef);
640 if ( !isReferenceToSigProps(refType) )
// A document reference must carry a URI; the statement on the failing branch
// is not shown.
644 const dsig::ReferenceType::URIOptional& uriOpt = refType.uRI();
645 if ( !uriOpt.present() )
// A single leading '/' is stripped from the URI before it is compared.
649 std::string docRefUri(uriOpt.get());
651 if ( !docRefUri.empty() && docRefUri[0] ==
'/' )
653 docRefUri.erase( 0, 1 );
// Searches the not-yet-matched documents. The comparison between docRefUri
// and the document (listing lines 662-664) is not shown.
657 bool foundDoc =
false;
658 for ( std::vector< size_t >::iterator itDocs = docNumberList.begin()
659 ; itDocs != docNumberList.end(); itDocs++ )
661 Document doc = bdoc.getDocument( (
unsigned int)*itDocs );
// NOTE(review): erase() invalidates itDocs; the loop must not advance or
// dereference it afterwards. Confirm that a break follows on the lines not
// shown (listing lines 667-669).
665 docNumberList.erase( itDocs );
666 checkDocumentRefDigest( doc, doc.
getFileName(), refType );
// Indices still in the list at this point belong to documents that no
// reference covered; the statement on this branch is not shown.
680 if ( !docNumberList.empty() )
// Verifies one document against the digest recorded in its <Reference>.
// The algorithm URI is taken from the reference, i.e. from the signature
// document. The conditions that produce the two error messages whose
// arguments end on listing lines 700 and 712 are not shown.
694 const dsig::DigestMethodType& digestMethod = refType.digestMethod();
695 const dsig::DigestMethodType::AlgorithmType& algorithmType = digestMethod.algorithm();
700 , documentFileName.c_str(), algorithmType.c_str());
703 std::auto_ptr< Digest > docDigest;
706 docDigest.reset(
new Digest(algorithmType));
712 , documentFileName.c_str(), algorithmType.c_str());
715 std::vector<unsigned char> docDigestBuf = doc.calcDigest(docDigest.get());
718 const dsig::DigestValueType& digestValueType = refType.digestValue();
719 const unsigned char* refDigest =
reinterpret_cast<const unsigned char*
>(digestValueType.data());
// The sizes are compared before memcmp, so memcmp never reads past the
// recorded digest.
// NOTE(review): if both sizes were zero, the test would treat the digests as
// equal and &docDigestBuf[0] would be undefined behaviour; this relies on
// calcDigest() never returning an empty vector. Confirm.
723 if ( docDigestBuf.size() != digestValueType.size()
724 || memcmp(&docDigestBuf[0], refDigest, docDigestBuf.size()) != 0 )
// On mismatch both digests are dumped to the debug log before the error whose
// arguments end on listing line 730.
726 DEBUGMEM(
"Claimed digest", refDigest, digestValueType.size());
727 DEBUGMEM(
"Calculated digest", &docDigestBuf[0], docDigestBuf.size());
730 , documentFileName.c_str());
// Fragment of SignatureBES::checkSignatureValue() (name taken from the debug
// string): recomputes the SignedInfo digest and verifies the RSA signature
// value against it.
742 DEBUG(
"SignatureBES::checkSignatureValue()");
746 X509Cert cert = getSigningCertificate();
// The digest algorithm is derived from the SignatureMethod URI stored in the
// signature itself.
// NOTE(review): confirm the SignatureMethod allow-list test (listing lines
// 330-334) has run before this point, so that Digest only sees a vetted URI.
750 std::auto_ptr<Digest> calc(
new Digest(getSignatureMethod()));
751 std::vector<unsigned char> sha = calcDigestOnNode(calc.get(), URI_ID_DSIG,
"SignedInfo");
752 DEBUGMEM(
"Digest", &sha[0], sha.size());
755 std::vector<unsigned char> signatureShaRsa = getSignatureValue();
// `rsa` is constructed on lines not shown (presumably from the signing
// certificate's public key). The handling of `valid` is also outside this
// excerpt; a false result must end in a validation failure.
758 bool valid = rsa.verify(calc->getMethod(), sha, signatureShaRsa);